To: "Scott Rose" <scottr@antd.nist.gov>
Cc: "Olaf M. Kolkman" <olaf@ripe.net>, "Bill Manning" <bmanning@isi.edu>, <dnssec@cafax.se>
From: Johan Ihren <johani@autonomica.se>
Date: 18 Oct 2002 20:38:32 +0200
In-Reply-To: <007b01c2707d$2c4f1b80$b9370681@antd.nist.gov>
Sender: owner-dnssec@cafax.se
User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/20.3
Subject: Re: root zone signing and key lengths/lifetimes

"Scott Rose" <scottr@antd.nist.gov> writes:

Hi Scott,

I'm trying to catch up, sorry for being so late.

> Mainly I was wondering why the draft set up frequency of key
> rollovers. Not that it's a huge technical problem. Although the
> human nature side of me is reminded that the more frequent the
> operation, the more frequent human error creeps in.

I'd much prefer to have possible human error manifest itself in a
scheme that

a) is clearly marked as interim and a bit experimental

b) has no keys drifting around that people have reason to believe
   will live for a long time

c) comes at a time when the number of resolvers that will set the
   DNSSEC OK bit are still close to zero

Furthermore I'd much prefer to force a certain beat to the rollovers
to get experience with the mechanism and whether it works or not. To
have the first ever rollover of the root key 12 or 18 months into a
possible large scale DNSSEC deployment (if there will ever be such a
thing) is a rather scary concept to me.

Johan